4/01/2009 @ 8:40PM

The Senate's Cyber Lightning Rod

If the Bush administration’s $30 billion classified cyber defense initiative last year seemed controversial, prepare for a new round of battles over security, privacy and civil liberties in the digital realm.

A new Senate bill introduced Wednesday is poised to extend federal cybersecurity regulations further into the private sector than ever before, and it is already sparking confusion and criticism among watchdog groups.

The bill, authored by Sens. John Rockefeller, D-W.Va., and Olympia Snowe, R-Maine, moves cybersecurity authority to an as-yet-unnamed cyber adviser who will report to the president. The wide-ranging measures also include sweeping new regulations to plug the vulnerabilities in both government and the private sector that could leave the nation open to cyber attacks or data theft.

In fact, the new provisions go beyond extending security rules to all government agencies, government contractors and software vendors selling to those groups. They would also be stretched to the private sector’s so-called “critical infrastructure” companies–those typically deemed crucial for national security.

But given that the words “critical infrastructure” aren’t defined in the bill, Center for Democracy and Technology (CDT) President Leslie Harris argues the new regulations could cover not just water distribution, the power grid and banks, but also telecommunications, Internet service providers and even Internet application companies like Google and Microsoft.

“The language is vague and open ended,” Harris says. “If you read broadly and the Internet falls under this, it could be devastating to both innovation and civil liberties.”

Broad-brush cyber regulation of private industry would limit companies’ ability to develop new practices and products, according to Harris, and they could also invade those companies’ privacy and the privacy of their users.

She points to a provision in the bill designed to facilitate sharing of information between the government and private companies, giving the U.S. Department of Commerce seemingly unadulterated power to monitor companies’ networks.

Referring to “federal government and private-sector owned critical information systems and networks,” the bill stipulates, “the Secretary of Commerce shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule or policy restricting such access.”

Katie Martin, director of the Center for National Security Studies, calls that paragraph “troubling” and “ambiguous.” “Although it’s not clear, it seems to override all privacy protections that cover citizens’ activities on the Internet,” she says.

To add more confusion to the bill’s intentions, Martin points out that another section calls for a review of federal privacy laws, seemingly with the goal of revamping those decades-old pieces of legislation to make them more relevant to protecting users’ privacy on the Internet. “The bill appears to give the Secretary of Commerce the ability to access personally identifiable information about Americans,” she says. “But this review of privacy laws means that it may not have meant to do that.”

Despite its hazy language and controversial measures, the bill’s overall mission of extending federal cybersecurity to parts of the private sector is badly needed, argues Alan Paller, director of the security-focused SANS Institute.

In 2007, Paller told Forbes that multiple utility companies had suffered from extortion by hackers in recent years. Later that year, the CIA revealed that hackers had caused multiple blackouts in cities outside the United States.

Those signs of a growing threat to critical infrastructure mean that new regulatory standards should be extended to the energy industry, banks and telecom companies, Paller argues.

But Wednesday’s bill, he admits, needs work. “There’s clarification to be done before it gets passed. Everyone knows this is a work in progress,” Paller says. “But this is a brilliant idea. It needs to happen.”

A statement from the Senate’s Commerce Committee on behalf of Snowe and Rockefeller acknowledged that the bill likely will have detractors. “This legislation is the very beginning of the process–the objective of this cybersecurity bill is to start the debate,” the statement said. “Chairman Rockefeller encourages comments from all parties. He is sitting down with stakeholders already and he welcomes input from those who have concerns about this legislation and those who are supportive.”

One such “concern” is another section of the bill that calls for the federal government to maintain greater control of the Internet Assigned Numbers Authority (IANA) and create a more secure Domain Name System. Those provisions, argues Jim Harper, director of Information Policy Studies at the Cato Institute, are intended to give the federal government tighter control over the Internet’s domain registration, but they could harm privacy and ruffle feathers internationally.

While more U.S. government control over who can register domain names could potentially prevent malicious site registrations, Harper argues that the measures could threaten the anonymity of site owners and destroy the perception of the Internet’s international independence. “The world community will regard this as a U.S. federal takeover of the Internet,” Harper says. “This starts a battle that we don’t need.”

Issues like domain names and privacy mean Rockefeller and Snowe’s bill–necessary or not–is likely to face tough review before it reaches the Senate floor. “We want to make some significant changes to this before it goes forward,” says the CDT’s Harris. “We’re going to make our concerns heard loudly.”